[LWN Logo]
[LWN.net]
Date:         Mon, 5 Mar 2001 14:10:36 -0700
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
Subject:      Re: Loopback and multi-homed routing flaw in TCP/IP stack.
To: BUGTRAQ@SECURITYFOCUS.COM

A flaw in the standard not on the stack. RFC 1122 "Requirements for Internet
Hosts -- Communication Layers" covers this issue although without pointing
out its security consequences.

>From section 3.3.4.2 Multihoming Requirements:

 There are two key requirement issues related to multihoming:

            (A)  A host MAY silently discard an incoming datagram whose
                 destination address does not correspond to the physical
                 interface through which it is received.

            (B)  A host MAY restrict itself to sending (non-source-
                 routed) IP datagrams only through the physical
                 interface that corresponds to the IP source address of
                 the datagrams.


            DISCUSSION:
                 Internet host implementors have used two different
                 conceptual models for multihoming, briefly summarized
                 in the following discussion.  This document takes no
                 stand on which model is preferred; each seems to have a
                 place.  This ambivalence is reflected in the issues (A)
                 and (B) being optional.

                 o    Strong ES Model

                      The Strong ES (End System, i.e., host) model
                      emphasizes the host/gateway (ES/IS) distinction,
                      and would therefore substitute MUST for MAY in
                      issues (A) and (B) above.  It tends to model a
                      multihomed host as a set of logical hosts within
                      the same physical host.

                      With respect to (A), proponents of the Strong ES
                      model note that automatic Internet routing
                      mechanisms could not route a datagram to a
                      physical interface that did not correspond to the
                      destination address.

                      Under the Strong ES model, the route computation
                      for an outgoing datagram is the mapping:

                         route(src IP addr, dest IP addr, TOS)
                                                        -> gateway

                      Here the source address is included as a parameter
                      in order to select a gateway that is directly
                      reachable on the corresponding physical interface.
                      Note that this model logically requires that in
                      general there be at least one default gateway, and
                      preferably multiple defaults, for each IP source
                      address.

                 o    Weak ES Model

                      This view de-emphasizes the ES/IS distinction, and
                      would therefore substitute MUST NOT for MAY in
                      issues (A) and (B).  This model may be the more
                      natural one for hosts that wiretap gateway routing
                      protocols, and is necessary for hosts that have
                      embedded gateway functionality.

                      The Weak ES Model may cause the Redirect mechanism
                      to fail.  If a datagram is sent out a physical
                      interface that does not correspond to the
                      destination address, the first-hop gateway will
                      not realize when it needs to send a Redirect.  On
                      the other hand, if the host has embedded gateway
                      functionality, then it has routing information
                      without listening to Redirects.

                      In the Weak ES model, the route computation for an
                      outgoing datagram is the mapping:

                         route(dest IP addr, TOS) -> gateway, interface

Its obvious that host that implement the Weak ES model are the ones
vulnerable, while hosts that implement the Strong ES model are not.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum